ABSTRACT

We show that it is decidable whether a transitive mixed linear relation has an $\omega$-chain.
Using this result, we study a number of liveness verification problems for generalized 
timed automata within a unified framework. More precisely, we prove that (1) the 
mixed linear liveness problem for a timed automaton with dense clocks, reversal-bounded 
counters, and a free counter is decidable, and (2) the Presburger liveness problem for a 
timed automaton with discrete clocks, reversal-bounded counters, and a pushdown stack 
is decidable. 

Keywords: Mixed linear relations; $\omega$-chains; timed automata; liveness; safety.

1. Introduction 

In the area of model-checking, the search for efficient techniques for verifying 
infinite-state systems has been an ongoing research effort. Much work has been 
devoted to investigating various restricted models of infinite-state systems that are 
amenable to automatic verification for some classes of temporal properties, e.g., 
safety and liveness. A timed automaton is one such model. A timed automaton 
[2] is a finite automaton (over finitely many control states) augmented with dense 
clocks. The clocks can be reset or progress at the same rate, and can be tested 
against clock constraints in the form of clock regions (i.e., comparisons of a clock 
or the difference of two clocks against an integer constant, e.g., $x - y < Q$, where
$x$ and $y$ are clocks). The most important result in the theory of timed automata
is that region reachability for timed automata is decidable [2]. This result has
been used in defining various real-time logics, model checking algorithms and tools
[1, 3, 16, 17, 21, 22, 23, 25] for verifying real-time systems.

However, region reachability is not strong enough to verify many complex timing
requirements not in the form of clock regions (e.g., "$x_1 - x_2 > 2(x_3 - x_4)$ is
always true") for timed automata. Recently, decidable binary reachability (i.e., the
set of all pairs of configurations such that one can reach the other) characterizations
for timed automata and their generalizations were obtained [8, 9, 10]. The
characterizations opened the door for automatic verification of various real-time models
against complex timing requirements. For instance, a flattening technique was used
by Comon and Jurski [8] to establish that the binary reachability of timed automata
is definable in the additive theory of the reals and integers. A timed automaton
can be augmented with other unbounded discrete data structures such as a free
counter and reversal-bounded counters. A (free) counter is an integer variable that
can be incremented by 1, decremented by 1, and tested against 0. A counter is
reversal-bounded if the number of times it alternates between nondecreasing and
nonincreasing mode and vice versa is bounded by some fixed number independent
of the computation [19]. A pattern technique was proposed by Dang [9] to obtain
a decidable binary reachability characterization on some "storage-augmented"
timed automata. For instance, suppose that $\mathcal{A}$ is a timed automaton (with dense
clocks $x_1$ and $x_2$) augmented with two reversal-bounded counters $y_1$ and $y_2$, and
a free counter $y_3$. The result of Dang [9] implies that the binary reachability of
$\mathcal{A}$ is definable in the additive theory of the reals and integers. Therefore, we can
automatically verify the following safety property, which contains linear constraints
on both dense variables and unbounded discrete variables,

"Given two control states $s_1$ and $s_2$, if $\mathcal{A}$ starts at $s_1$ in a configuration
satisfying $x_1 - 2x_2 + y_1 - 2y_2 + y_3 > 5$, then whenever $\mathcal{A}$ reaches $s_2$, its
configuration must satisfy $x_1 + x_2 < y_2 - 2y_3 + 2$."

In contrast to safety properties, liveness properties considered in this paper
involve properties on infinite executions of $\mathcal{A}$. For instance, consider an infinite
execution that passes some control state for infinitely many times. A mixed linear
constraint on clocks and counters in $\mathcal{A}$ may or may not be satisfied whenever $\mathcal{A}$
passes the control state. Is there an infinite execution on which the constraint is
satisfied for infinitely many times at the control state? An example liveness property
is the following:

"Given two control states $s_1$ and $s_2$, if $\mathcal{A}$ starts at $s_1$ in some configuration
satisfying $x_1 - 2x_2 + y_1 - 2y_2 + y_3 > 5$, then $\mathcal{A}$ has an infinite
execution on which $x_1 + x_2 < y_2 - 2y_3 + 2$ is satisfied at $s_2$ for infinitely
many times."

Liveness properties of this kind have many applications, such as checking whether concurrent
real-time processes are livelock-free, starvation-free, etc. Can this liveness property
be automatically verified for $\mathcal{A}$?

We approach this question by looking at mixed linear relations $R$ that are relations
on real and integer variables definable in the additive theory of the reals and
integers. We first prove the main theorem that the existence of an $\omega$-chain for $R$ is
decidable when $R$ is transitive. This proof is done by eliminating quantifiers from
$R$ using a recent result of [24] and expressing $R$ into mixed linear constraints. The
decidable result follows from the fact that the existence of an $\omega$-chain for $R$ forces
$R$ to have a special format. Notice that the transitivity of $R$ is critical; removing
it obviously makes the existence of an $\omega$-chain undecidable (e.g., encoding
the one-step transition relations of a two-counter machine into $R$).

Recall that the binary reachability of $\mathcal{A}$ is a transitive mixed linear relation. The
above liveness question can be reduced to the existence of an $\omega$-chain for some mixed
linear relation easily constructed from the binary reachability. Therefore, a direct
application of the main theorem gives a positive answer to the question. We may
also use the main theorem to verify a class of pushdown systems. For instance,
suppose that $\mathcal{P}$ is a pushdown automaton. Consider the following Presburger liveness
property:

"Given two states $s_1$ and $s_2$, from some configuration at $s_1$ satisfying
Ha — > ric, $\mathcal{P}$ has an infinite execution on which Ua + rib < Sric holds
at $s_2$ for infinitely many times,"

where count variable $n_a$ indicates the number of symbol $a$'s in the stack word in
a configuration. This paper provides a technique to reduce this property into the
existence of an $\omega$-chain for some Presburger relation, which is a special form of
mixed linear relations. Therefore, using the main theorem, the above property can
be automatically verified for $\mathcal{P}$. In fact, we show the result for a more powerful class
of pushdown systems: $\mathcal{P}$ can be a pushdown automaton augmented with
reversal-bounded counters and integer-valued clocks. This class of pushdown systems can
be used to model a class of real-time recursive programs. The Presburger liveness
properties for this class of pushdown systems then contain Presburger formulas on
count variables, reversal-bounded counters and discrete clocks.

The techniques presented in this paper are different from our previous papers [12, 
11] on liveness verification. In those two papers, we only deal with the Presburger 
liveness problems for discrete timed automata (i.e., timed automata with integer- 
valued clocks) [12] and for reversal-bounded counter machines with a free counter 
(NCMFs) [11], respectively. Both of the papers are based upon analyzing loops in 
the machines. In particular, the key idea in [12] is to make discrete timed automata 
static (i.e., enabling conditions can be removed) and memoryless (i.e., two integer 
clock values are somewhat unrelated if they are separated by a large number of 
clock resets). But, the idea cannot be easily extended to dense clocks. The key 
idea in [11] is to partition an execution of an NCMF into phases such that reversal- 
bounded counters are monotonic in each phase. Then, a technique is used to reduce 
the NCMF into one with only one free counter, with respect to the liveness property. 
But, we were not able to extend the idea when the free counter is replaced by a 
pushdown stack. The techniques presented in this paper, however, allow us to
handle, in a unified framework, a stronger class of systems: timed automata with
dense clocks, reversal-bounded counters, and a free counter. In addition, we can
deal with a class of generalized pushdown systems.

The paper is organized as follows. Section 2 gives the basic definitions and
preliminary results that are used in the paper. Sections 3 through 5 present the
proof of the main theorem; i.e., it is decidable whether a transitive mixed linear
relation has an $\omega$-chain. Section 6 applies the main theorem in showing the decidable
results on the mixed linear liveness problem for a timed automaton augmented with 
reversal-bounded counters and a free counter and on the Presburger liveness problem 
for a discrete timed automaton augmented with reversal-bounded counters and a 
pushdown stack. Finally, Section 7 concludes with some remarks. 

2. Preliminaries 

Let $m$ and $n$ be positive integers. Consider a formula

$$\sum_{1 \le i \le m} a_i x_i + \sum_{1 \le j \le n} b_j y_j \sim c,$$

where each $x_i$ is a real variable, each $y_j$ is an integer variable, each $a_i$, each $b_j$ and
$c$ are integers, $1 \le i \le m$, $1 \le j \le n$, and $\sim$ is $=$, $>$, or $\equiv_d$ for some integer $d > 0$.
The formula is a mixed linear constraint if $\sim$ is $=$ or $>$. The formula is called a
dense linear constraint if $\sim$ is $=$ or $>$ and each $b_j = 0$, $1 \le j \le n$. The formula
is called a discrete linear constraint if $\sim$ is $>$ and each $a_i = 0$, $1 \le i \le m$. The
formula is called a discrete mod constraint, if each $a_i = 0$, $1 \le i \le m$, and $\sim$ is $\equiv_d$
for some integer $d > 0$.

A formula is definable in the additive theory of reals and integers (resp. reals,
integers) if it is the result of applying quantification ($\exists$) and Boolean operations
($\neg$ and $\wedge$) over mixed linear constraints (resp. dense linear constraints, discrete linear
constraints); the formula is called a mixed formula (resp. dense formula, Presburger
formula). It is decidable whether the formula is satisfiable. It is well-known that a
Presburger formula can always be written, after quantifier elimination, as a
disjunctive normal form of discrete linear constraints and discrete mod constraints. It is
also known that a dense formula can always be written as a disjunctive normal form
of dense linear constraints. Can we eliminate quantifiers in mixed formulas? The
answer is not obvious. This is because a mixed formula like $\exists y (x_1 - x_2 = y)$, after
eliminating all the quantifiers, is not always in the form of a Boolean combination
of mixed linear constraints.

A real variable $x$ can be treated as the sum of an integer variable (the
integral part of $x$) $x^{\mathrm{Int}}$ and a real variable (the fractional part of $x$) $x^{\mathrm{Frac}}$ with
$x = x^{\mathrm{Int}} + x^{\mathrm{Frac}}$ and $0 \le x^{\mathrm{Frac}} < 1$. A mixed formula $R(x_1, \dots, x_m, y_1, \dots, y_n)$,
where $x_1, \dots, x_m, y_1, \dots, y_n$ are the free variables, can therefore be translated into
another mixed formula (called $R$'s separation):

$$R(x_1^{\mathrm{Int}} + x_1^{\mathrm{Frac}}, \dots, x_m^{\mathrm{Int}} + x_m^{\mathrm{Frac}}, y_1, \dots, y_n) \wedge 0 \le x_1^{\mathrm{Frac}} < 1 \wedge \dots \wedge 0 \le x_m^{\mathrm{Frac}} < 1.$$

Notice that the separation contains real variables $x_1^{\mathrm{Frac}}, \dots, x_m^{\mathrm{Frac}}$ and integer
variables $x_1^{\mathrm{Int}}, \dots, x_m^{\mathrm{Int}}, y_1, \dots, y_n$. The following result can be easily obtained from
[24], in which the separation can be written into a Boolean combination of dense
linear constraints, discrete linear constraints, and discrete mod constraints. A nice
property of the Boolean combination is that real variables and integer variables
are separated: each constraint in the combination either contains real variables
$x_1^{\mathrm{Frac}}, \dots, x_m^{\mathrm{Frac}}$ only or contains integer variables $x_1^{\mathrm{Int}}, \dots, x_m^{\mathrm{Int}}, y_1, \dots, y_n$ only.

Theorem 1 The separation of any mixed formula can be written into a Boolean
combination of dense linear constraints, discrete linear constraints, and discrete
mod constraints.

Definition 1 $R$ is a mixed linear relation if it is a mixed formula $R(X, Y, X', Y')$
over $2m$ real variables $X = x_1, \dots, x_m$ and $X' = x_1', \dots, x_m'$ and $2n$ integer
variables $Y = y_1, \dots, y_n$ and $Y' = y_1', \dots, y_n'$.

We use $U$ to denote an $m$-ary real vector and use $V$ to denote an $n$-ary integer
vector.

Definition 2 A mixed linear relation $R$ is transitive if for all $U, V, U', V', U'', V''$,
$R(U, V, U', V') \wedge R(U', V', U'', V'')$ implies $R(U, V, U'', V'')$. An infinite sequence
$(U^0, V^0), \dots, (U^k, V^k), \dots$ is an $\omega$-chain of $R$ if $R(U^k, V^k, U^{k+1}, V^{k+1})$ holds for
all $k \ge 0$. The sequence is a strong $\omega$-chain of $R$ if it is an $\omega$-chain of $R$ satisfying
$R(U^{k_1}, V^{k_1}, U^{k_2}, V^{k_2})$ for all $0 \le k_1 < k_2$.

Notice that, if $R$ is transitive, then any subsequence

$$(U^{i_0}, V^{i_0}), \dots, (U^{i_k}, V^{i_k}), \dots$$

(with $0 \le i_0 < \dots < i_k < \dots$) of an $\omega$-chain $(U^0, V^0), \dots, (U^k, V^k), \dots$ is also an
$\omega$-chain of $R$. According to the definition of the separation (which is also a mixed
linear relation) of a mixed linear relation $R$ and Theorem 1, the following lemma
can be proved.

Lemma 1 (1). A mixed linear relation is transitive iff its separation is transitive.
(2). A mixed linear relation has an $\omega$-chain iff its separation has an $\omega$-chain.

3. A Technical Lemma 

We will show that it is decidable whether a transitive mixed linear relation $R$
has an $\omega$-chain. From Lemma 1, it suffices to work on the separation of $R$; i.e., from
Theorem 1, we assume that $R$ itself is already in the form of a Boolean combination
of dense linear constraints (with each real variable taking values in $[0, 1)$), discrete
linear constraints, and discrete mod constraints. That is, $R(X, Y, X', Y')$ can be
written as a disjunction

$$R_1 \vee \dots \vee R_p \qquad (1)$$

for some $p$, where each $R_i$ is a conjunction of

$$S_i \wedge T_i.$$

Each $S_i$ is a conjunction of $l$ dense linear equations

$$\bigwedge_{1 \le j \le l} P^1_{ij}(X) + Q^1_{ij}(X') = c^1_{ij}, \qquad (2)$$

followed by $l$ dense linear inequalities

$$\bigwedge_{1 \le j \le l} P^2_{ij}(X) + Q^2_{ij}(X') > c^2_{ij}, \qquad (3)$$

with $X$ and $X'$ taking values in $[0, 1)^m$. Each $T_i$ is a conjunction of $l$ discrete linear
inequalities

$$\bigwedge_{1 \le j \le l} P^3_{ij}(Y) + Q^3_{ij}(Y') > c^3_{ij}, \qquad (4)$$

followed by $l$ discrete mod constraints

$$\bigwedge_{1 \le j \le l} P^4_{ij}(Y) + Q^4_{ij}(Y') \equiv_{d_{ij}} c^4_{ij}. \qquad (5)$$

Notice that discrete linear equations like $y_1 + 2y_2 = 3$ can be expressed in discrete
linear inequalities such as $y_1 + 2y_2 > 2 \wedge -y_1 - 2y_2 > -4$. Also notice that the
negation of a discrete mod constraint like $y_1 + 2y_2 \not\equiv_5 3$ can be expressed into a
finite disjunction of mod constraints in (5). Each $P^h_{ij}$ and each $Q^h_{ij}$ for $h = 1, 2$ (resp.
$h = 3, 4$) are linear combinations (with integer coefficients) over real variables (resp.
integer variables).

Mod constraints in (5) can be eliminated using the following procedure. Take

$$d = \prod_{1 \le i \le p,\ 1 \le j \le l} d_{ij}.$$

Let $\mathbf{d}$ be an $n$-ary integer vector taking values in $\{0, \dots, d-1\}^n$. Let $R'(X, Z, X', Z')$
be

$$\bigvee_{\mathbf{d}, \mathbf{d}'} R(X, dZ + \mathbf{d}, X', dZ' + \mathbf{d}')$$

by substituting $Y$ with $dZ + \mathbf{d}$ and $Y'$ with $dZ' + \mathbf{d}'$ in $R(X, Y, X', Y')$, for all
possible choices of $\mathbf{d}$ and $\mathbf{d}'$. Clearly,

• $R$ is transitive iff $R'$ is transitive, and

• $R$ has an $\omega$-chain iff $R'$ has an $\omega$-chain.

In $R'$, there are no mod-constraints, since, after the substitution, the truth value of
each mod-constraint in (5) is known (according to the choice of $\mathbf{d}$ and $\mathbf{d}'$). Hence,
we may assume that $R$ itself does not contain mod-constraints in (5).
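
The substitution step above, carried out on a small constructed conjunct over integer variables only; this is an added example, not code from the paper. It takes $d$ as the product of the moduli, uses hypothetical names (`eliminate_mods`, `holds_after_elimination`, `r_prime`), and checks by brute force that the mod-free branches decide exactly the same pairs as the original constraints.

```python
from itertools import product
from math import prod

# Encoding assumed for this example:
#   inequality      (a, b, c)    means  a.Y + b.Y' > c
#   mod constraint  (a, b, c, m) means  a.Y + b.Y' is congruent to c modulo m

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def holds(ineqs, mods, Y, Yp):
    """Evaluate the original conjunct, mod constraints included."""
    return (all(dot(a, Y) + dot(b, Yp) > c for a, b, c in ineqs)
            and all((dot(a, Y) + dot(b, Yp) - c) % m == 0 for a, b, c, m in mods))

def eliminate_mods(ineqs, mods, n):
    """Substitute Y = d*Z + r and Y' = d*Z' + r' for every residue pair (r, r').

    Returns d and a dict {(r, r'): mod-free inequalities over (Z, Z')}.
    A residue pair is kept only if every mod constraint is true for it; since
    each modulus divides d, that truth value does not depend on Z or Z'.
    """
    d = prod(m for *_, m in mods)
    branches = {}
    for rr in product(range(d), repeat=2 * n):
        r, rp = rr[:n], rr[n:]
        if not all((dot(a, r) + dot(b, rp) - c) % m == 0 for a, b, c, m in mods):
            continue  # some mod constraint is false on this residue pair
        # a.(dZ + r) + b.(dZ' + r') > c  <=>  (d a).Z + (d b).Z' > c - a.r - b.r'
        branches[(r, rp)] = [
            (tuple(d * x for x in a), tuple(d * x for x in b),
             c - dot(a, r) - dot(b, rp))
            for a, b, c in ineqs
        ]
    return d, branches

def holds_after_elimination(d, branches, Y, Yp):
    """Decide the same conjunct using only the mod-free branches."""
    Z, r = zip(*(divmod(y, d) for y in Y))      # Y  = d*Z  + r,  0 <= r  < d
    Zp, rp = zip(*(divmod(y, d) for y in Yp))   # Y' = d*Z' + r', 0 <= r' < d
    branch = branches.get((r, rp))
    if branch is None:
        return False
    return all(dot(a, Z) + dot(b, Zp) > c for a, b, c in branch)

def r_prime(branches, Z, Zp):
    """R'(Z, Z'): the disjunction over all residue pairs, as in the text."""
    return any(all(dot(a, Z) + dot(b, Zp) > c for a, b, c in branch)
               for branch in branches.values())

def agree_on_grid(ineqs, mods, n, lo, hi):
    """Compare both evaluations on every pair of points in [lo, hi)^n."""
    d, branches = eliminate_mods(ineqs, mods, n)
    pts = list(product(range(lo, hi), repeat=n))
    return all(holds(ineqs, mods, Y, Yp)
               == holds_after_elimination(d, branches, Y, Yp)
               for Y in pts for Yp in pts)

# Constructed sample with Y = (y1, y2) and Y' = (y1', y2'):
#   y1' - y1 > 0,   y1 + 2*y2' congruent to 1 mod 3,   y2 - y2' congruent to 0 mod 2
INEQS = [((-1, 0), (1, 0), 0)]
MODS = [((1, 0), (0, 2), 1, 3), ((0, 1), (0, -1), 0, 2)]

if __name__ == "__main__":
    d, branches = eliminate_mods(INEQS, MODS, 2)
    print("d =", d, "surviving residue pairs:", len(branches))
    print("agrees on grid:", agree_on_grid(INEQS, MODS, 2, -7, 8))
```
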
Consider an infinite sequence

$$(U^0, V^0), \dots, (U^k, V^k), \dots.$$

Let $f(X, Y)$ be a term that is a linear combination of real variables $X$ and integer
variables $Y$. The term is increasing (resp. decreasing, flat) on the sequence if $f(U^k, V^k) <
f(U^{k+1}, V^{k+1})$ (resp. $f(U^k, V^k) > f(U^{k+1}, V^{k+1})$, $f(U^k, V^k) = f(U^{k+1}, V^{k+1})$),
for each $k \ge 0$. The term is bounded increasing (resp. bounded decreasing) on the sequence
if $f$ is increasing (resp. decreasing) on the sequence and there is a number $b$ such that
$f(U^k, V^k) < b$ (resp. $f(U^k, V^k) > b$) for all $k \ge 0$. The term is unbounded
increasing (resp. unbounded decreasing) on the sequence if $f$ is increasing (resp. decreasing)
on the sequence and $f$ is not bounded increasing (resp. decreasing) on the sequence. The term $f$
could (but need not) be in one of the following five modes on the sequence:

(mode1) unbounded increasing,

(mode2) unbounded decreasing,

(mode3) flat,

(mode4) bounded increasing,

(mode5) bounded decreasing.

Clearly, when $f$ only contains real variables, (mode1) and (mode2) are impossible
(since each real variable is assumed in $[0, 1)$); when $f$ only contains integer variables,
(mode4) and (mode5) are impossible.

We observe that, since $R$ is transitive, $R$ has an $\omega$-chain iff $R$ has an $\omega$-chain
on which each real variable $x \in X$ (as well as each integer variable $y \in Y$, and each
term $P^h_{ij}$ and $Q^h_{ij}$, $h = 1, 2, 3$, $1 \le i \le p$, $1 \le j \le l$) is in one of the five modes on
the chain. A mode vector $\mathcal{M}$ is used to indicate the chosen mode for each of the variables
and the terms. There are at most $3^m 3^n 3^{3pl} 3^{3pl}$ distinct mode vectors. Therefore,
in order to decide whether $R$ has an $\omega$-chain, we only need to decide whether $R$
has an $\omega$-chain with some mode vector $\mathcal{M}$. In the sequel, we use the following
abbreviation.

Definition 3 An $\omega$-chain is monotonic of mode $\mathcal{M}$ (or simply, monotonic when
$\mathcal{M}$ is understood) if the chain is with mode vector $\mathcal{M}$.

Now, we are ready to prove the following lemma using the pigeon-hole principle. 

Lemma 2 Suppose that $R$ is a transitive mixed linear relation in the form of $R =
R_1 \vee \dots \vee R_p$ where each $R_i$ is a conjunction of atomic formulas in (2,3,4,5). Then,
$R$ has an $\omega$-chain iff $R_i$ has a monotonic and strong $\omega$-chain for some $1 \le i \le p$
and some mode vector $\mathcal{M}$.

Proof. ($\Rightarrow$). Assume that $R$ has an $\omega$-chain

$$(U^0, V^0), \dots, (U^k, V^k), \dots \qquad (6)$$

that is monotonic for some mode vector $\mathcal{M}$. $R(U^{k_1}, V^{k_1}, U^{k_2}, V^{k_2})$ holds for any
$0 \le k_1 < k_2$, since $R$ is transitive. Recall that $R = R_1 \vee \dots \vee R_p$. Notice
that each $R_i$ is not necessarily transitive. The following technique generalizes
the one presented in [11]. We use a predicate $I(k_1, k_2, i)$ to indicate $0 \le k_1 <
k_2 \wedge R_i(U^{k_1}, V^{k_1}, U^{k_2}, V^{k_2})$. Clearly, for any $k_1, k_2$ with $0 \le k_1 < k_2$, there
is an $i$ ($1 \le i \le p$) such that $I(k_1, k_2, i)$ holds. Define $I'(k_1, i)$ as $\forall k \exists k_2 (k_2 >
k \wedge I(k_1, k_2, i))$. Hence, $I'(k_1, i)$ is true iff there are infinitely many $k_2$ satisfying
$I(k_1, k_2, i)$. Since $i$ is bounded (i.e., $1 \le i \le p$), for each $k_1$, there is an $i$ satisfying
$I'(k_1, i)$. Therefore, there is an $i_0$ ($1 \le i_0 \le p$), such that

$$\forall k \exists k_1 (k_1 > k \wedge I'(k_1, i_0)). \qquad (7)$$

That is, there are infinitely many $k_1$ satisfying $I'(k_1, i_0)$. According to the definition
of $I'$ and $I$, formula (7) can be translated back to the following formula:

$$\forall k\, \exists k_1 > k\, \forall k' > k_1\, \exists k_2 > k'\ R_{i_0}(U^{k_1}, V^{k_1}, U^{k_2}, V^{k_2}). \qquad (8)$$

Since (6) is monotonic, there is a $U \in [0, 1]^m$ such that $\lim U^k = U$. In addition,
$Q^1_{i_0 j}(U^k)$, $Q^2_{i_0 j}(U^k)$, and $Q^3_{i_0 j}(V^k)$ in $R_{i_0}$ ($R_{i_0}$ is given in the form of (2), (3), and
(4)) are all monotonic wrt $k$. Hence, formula (8) can be strengthened into

$$\forall k\, \exists k_1 > k\, \exists k' > k_1\, \forall k_2 > k'\ R_{i_0}(U^{k_1}, V^{k_1}, U^{k_2}, V^{k_2}). \qquad (9)$$

That is, there are infinitely many $k_1$ such that, for each of these $k_1$, there is a $k' > k_1$
satisfying $R_{i_0}(U^{k_1}, V^{k_1}, U^{k_2}, V^{k_2})$ for each $k_2 > k'$. From these infinitely many $k_1$'s,
we select any strictly increasing infinite sequence

$$k_1^0, \dots, k_1^q, \dots$$

For each $k_1^q$, we can pick a $k_2^q$ from (9) (treating $k_1^q$ as $k_1$ and $k_2^q$ as $k_2$). By making
each $k_2^q$ large enough, we can obtain a strictly increasing infinite sequence

$$k_2^0, \dots, k_2^q, \dots$$

Notice that, from (9), for each $q$,

$$\forall k > k_2^q\ R_{i_0}(U^{k_1^q}, V^{k_1^q}, U^k, V^k). \qquad (10)$$

Now, we define a sequence of indices as follows. Let $t_0 = 0$. Pick $t_1$ as any number
satisfying $t_0 < t_1$ and $k_2^{t_0} < k_1^{t_1}$. Pick $t_2$ as any number satisfying $t_1 < t_2$ and
$k_2^{t_1} < k_1^{t_2}$, and so on. The existence of each $t_q$ is guaranteed by the monotonicity of
the two sequences $k_1^0, \dots, k_1^q, \dots$ and $k_2^0, \dots, k_2^q, \dots$. It is easy to verify

$$R_{i_0}(U^{k_1^{t_q}}, V^{k_1^{t_q}}, U^{k_1^{t_{q+1}}}, V^{k_1^{t_{q+1}}})$$

holds for each $q \ge 0$ according to the choice of each $t_q$ and (10). Hence,

$$(U^{k_1^{t_0}}, V^{k_1^{t_0}}), \dots, (U^{k_1^{t_q}}, V^{k_1^{t_q}}), \dots$$

is an $\omega$-chain of $R_{i_0}$, which is also monotonic of mode $\mathcal{M}$. Notice that the
$\omega$-chain is also a strong $\omega$-chain of $R_{i_0}$. This is because of the definition of $t_q$ and
(10). Therefore, we have already shown that, if $R$ has an $\omega$-chain, then $R_{i_0}$ has a
monotonic and strong $\omega$-chain for some $i_0$ and $\mathcal{M}$.

($\Leftarrow$). Obvious. □
Recall that $R_i = S_i \wedge T_i$ where $S_i$ contains only dense variables and $T_i$ contains
only integer variables. Therefore, for any $\mathcal{M}$, $R_i$ has a monotonic and strong
$\omega$-chain iff both $S_i$ and $T_i$ have a monotonic and strong $\omega$-chain. Hence, from now on,
we will focus on $S_i$ and $T_i$ separately by looking at the following two problems:

1. whether $S$ has a monotonic and strong $\omega$-chain, where $S$ is a conjunction of
dense linear equations in (2) and inequalities in (3);

2. whether $T$ has a monotonic and strong $\omega$-chain, where $T$ is a conjunction of
integer linear inequalities in (4).

Notice that $S$ and $T$ are not necessarily transitive. Solutions to the problems
are given in the following two sections.

4. The Existence of $\omega$-chains for Dense Linear Equations and Inequalities

Assume that $S$ is a conjunction of $l$ dense linear equations $P^1_j(X) + Q^1_j(X') = c^1_j$
and $l$ dense linear inequalities $P^2_j(X) + Q^2_j(X') > c^2_j$. Each dense variable takes
values in $[0, 1)$. Let $\mathcal{M}$ be a mode vector (on each dense variable, each term $P^1_j$,
$Q^1_j$, $P^2_j$, $Q^2_j$, $1 \le j \le l$). We use "$\nearrow$", "$\rightarrow$", and "$\searrow$" to stand for "bounded
increasing", "flat" and "bounded decreasing", respectively (the other two modes
"unbounded increasing" and "unbounded decreasing" are not possible for dense
variables and dense terms). Assume that

$$U^0, \dots, U^k, \dots$$

is a monotonic and strong $\omega$-chain $U^\omega$ of $S$, for a given $\mathcal{M}$. Therefore, $S(U^{k_1}, U^{k_2})$
holds for any $0 \le k_1 < k_2$ (notice that $S$ itself is not necessarily transitive). Since
dense variables take values in $[0, 1)$, we have $\lim U^k = U$ for some $U \in [0, 1]^m$.

A number of observations can be made on $U^\omega$ and $\mathcal{M}$. For instance, each
variable $x \in X$ (as well as each term $P^1_j$, $Q^1_j$, $P^2_j$, $Q^2_j$) has a mode (given in
$\mathcal{M}$) on $U^\omega$. In particular, for a linear equation like $P^1_j(X) + Q^1_j(X') = c^1_j$, the
mode of $P^1_j$ and the mode of $Q^1_j$ must be flat. How about a linear inequality
like $P^2_j(X) + Q^2_j(X') > c^2_j$? Let us consider the case when $\mathcal{M}(P^2_j) = \searrow$ and
$\mathcal{M}(Q^2_j) = \nearrow$. In this case, since $\lim U^k = U$, we can easily conclude that, for
any $k_1 < k_2$, $P^2_j(U^{k_1}) > P^2_j(U^{k_2}) > P^2_j(U)$, $Q^2_j(U^{k_1}) < Q^2_j(U^{k_2}) < Q^2_j(U)$,
$P^2_j(U) + Q^2_j(U) > c^2_j$. Similar conclusions can be made for all the other possible
choices for $\mathcal{M}(P^2_j)$ and $\mathcal{M}(Q^2_j)$. Combining all these observations, we obtain that,
for any $k_1 < k_2$, $H(U, U^{k_1}, U^{k_2}, \mathcal{M})$ holds, where $H$ is defined as follows:

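• $U^{k_1}$ and $U^{k_2}$ are consistent to the mode $\mathcal{M}(x)$ for each $x \in X$. That is, for
all $x \in X$, $U^{k_1}(x) < U^{k_2}(x)$ (resp. $=$, $>$) and $U^{k_2}(x) < U(x)$ (resp. $=$, $>$)
if $\mathcal{M}(x) = \nearrow$ (resp. $\rightarrow$, $\searrow$), where $U^{k_1}(x)$ is the component for variable $x$ in
vector $U^{k_1}$.

• For each linear equation $P^1_j(X) + Q^1_j(X') = c^1_j$, both $\mathcal{M}(P^1_j)$ and $\mathcal{M}(Q^1_j)$ must
be flat. In this case, $P^1_j(U) + Q^1_j(U) = c^1_j$, $P^1_j(U^{k_1}) = P^1_j(U^{k_2}) = P^1_j(U)$,
$Q^1_j(U^{k_1}) = Q^1_j(U^{k_2}) = Q^1_j(U)$.

• For each linear inequality $P^2_j(X) + Q^2_j(X') > c^2_j$, according to each possible
combination of $\mathcal{M}(P^2_j)$ and $\mathcal{M}(Q^2_j)$, one of the following nine cases is satisfied:

- $\mathcal{M}(P^2_j) = \nearrow$ and $\mathcal{M}(Q^2_j) = \nearrow$. $P^2_j(U^{k_1}) < P^2_j(U^{k_2}) < P^2_j(U)$, $Q^2_j(U^{k_1}) <
Q^2_j(U^{k_2}) < Q^2_j(U)$, and $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \nearrow$ and $\mathcal{M}(Q^2_j) = \rightarrow$. $P^2_j(U^{k_1}) < P^2_j(U^{k_2}) < P^2_j(U)$, $Q^2_j(U^{k_1}) =
Q^2_j(U^{k_2}) = Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \nearrow$ and $\mathcal{M}(Q^2_j) = \searrow$. $P^2_j(U^{k_1}) < P^2_j(U^{k_2}) < P^2_j(U)$, $Q^2_j(U^{k_1}) >
Q^2_j(U^{k_2}) > Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \rightarrow$ and $\mathcal{M}(Q^2_j) = \nearrow$. $P^2_j(U^{k_1}) = P^2_j(U^{k_2}) = P^2_j(U)$, $Q^2_j(U^{k_1}) <
Q^2_j(U^{k_2}) < Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \rightarrow$ and $\mathcal{M}(Q^2_j) = \searrow$. $P^2_j(U^{k_1}) = P^2_j(U^{k_2}) = P^2_j(U)$, $Q^2_j(U^{k_1}) >
Q^2_j(U^{k_2}) > Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \searrow$ and $\mathcal{M}(Q^2_j) = \nearrow$. $P^2_j(U^{k_1}) > P^2_j(U^{k_2}) > P^2_j(U)$, $Q^2_j(U^{k_1}) <
Q^2_j(U^{k_2}) < Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \searrow$ and $\mathcal{M}(Q^2_j) = \rightarrow$. $P^2_j(U^{k_1}) > P^2_j(U^{k_2}) > P^2_j(U)$, $Q^2_j(U^{k_1}) =
Q^2_j(U^{k_2}) = Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$,

- $\mathcal{M}(P^2_j) = \searrow$ and $\mathcal{M}(Q^2_j) = \searrow$. $P^2_j(U^{k_1}) > P^2_j(U^{k_2}) > P^2_j(U)$, $Q^2_j(U^{k_1}) >
Q^2_j(U^{k_2}) > Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$.

Since $\lim U^k = U$, we have

$$\forall \delta > 0\ \exists U' \in [0, 1)^m\ \forall \delta' > 0\ \exists U'' \in [0, 1)^m\ \big(H(U, U', U'', \mathcal{M}) \wedge |U' - U| < \delta \wedge |U'' - U| < \delta'\big). \qquad (11)$$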

Conversely, we can show the following lemma. 

Lemma 3 If there are a $U \in [0, 1]^m$ and a mode vector $\mathcal{M}$ satisfying formula (11),
then $S$ has a monotonic (of mode $\mathcal{M}$) and strong $\omega$-chain in $[0, 1)^m$.

Proof. Assume (11) holds for some $U \in [0, 1]^m$ and a mode vector $\mathcal{M}$. That
is, we can pick a sequence in $[0, 1)^m$

$$W^0, \dots, W^k, \dots$$

such that,

• $\lim W^k = U$,

• $H(U, W^0, W^k, \mathcal{M})$ for each $k \ge 1$.

According to the fact that $\lim W^k = U$ and the first item in the definition of
$H$, we can always pick a subsequence of $W^0, \dots, W^k, \dots$ such that each $x \in X$
has mode $\mathcal{M}(x)$ on the subsequence. Without loss of generality, we assume that
$W^0, \dots, W^k, \dots$ itself is the subsequence.

From the definition of $H$, for each linear equation $P^1_j(X) + Q^1_j(X') = c^1_j$, $\mathcal{M}(P^1_j)$
and $\mathcal{M}(Q^1_j)$ must both be flat. In addition, $P^1_j(U) + Q^1_j(U) = c^1_j$, $P^1_j(W^0) =
P^1_j(W^k) = P^1_j(U)$, $Q^1_j(W^0) = Q^1_j(W^k) = Q^1_j(U)$. Therefore, $W^0, \dots, W^k, \dots$ (as
well as any subsequence) is already a strong $\omega$-chain for the conjunction of these
linear equations. Clearly, each $P^1_j$ and each $Q^1_j$ are in mode $\mathcal{M}(P^1_j) = \mathcal{M}(Q^1_j) = \rightarrow$
on the chain. In the rest of the proof, a "subsequence" always starts from $W^0$.

For each linear inequality $P^2_j(X) + Q^2_j(X') > c^2_j$, we will show that a subsequence
of $W^0, \dots, W^k, \dots$ can be picked such that the subsequence is a strong $\omega$-chain of
the linear inequality, and any subsequence of the subsequence is also a strong
$\omega$-chain of the linear inequality. In addition, $P^2_j$ and $Q^2_j$ are in modes $\mathcal{M}(P^2_j)$ and
$\mathcal{M}(Q^2_j)$ on the subsequence, respectively. By working on each linear inequality one
by one, a subsequence can be eventually picked which is a monotonic (of mode $\mathcal{M}$)
and strong $\omega$-chain of $S$. Once this is done, the lemma follows.

There are nine cases for the mode choices of $\mathcal{M}(P^2_j)$ and $\mathcal{M}(Q^2_j)$. We only
prove the case when $\mathcal{M}(P^2_j) = \searrow$ and $\mathcal{M}(Q^2_j) = \nearrow$; all the other cases can be
shown analogously. In the case, according to the definition of $H$, for each $k \ge 1$,
$P^2_j(W^0) > P^2_j(W^k) > P^2_j(U)$, $Q^2_j(W^0) < Q^2_j(W^k) < Q^2_j(U)$, $P^2_j(U) + Q^2_j(U) > c^2_j$.
Since $\lim Q^2_j(W^k) = Q^2_j(U)$ and $\lim P^2_j(W^k) = P^2_j(U)$, if we take $k^0 = 0$, then we
can pick a large enough $k^1$ such that

• $P^2_j(W^{k^0}) > P^2_j(W^{k^1})$, and

• $Q^2_j(W^{k^0}) < Q^2_j(W^{k^1})$, and

• $P^2_j(W^{k^0}) + Q^2_j(W^{k^1}) > c^2_j$ (i.e., $(W^{k^0}, W^{k^1})$ satisfies the inequality).

Similarly, we can pick a large enough $k^2 > k^1$ such that

• $P^2_j(W^{k^1}) > P^2_j(W^{k^2})$, and

• $Q^2_j(W^{k^1}) < Q^2_j(W^{k^2})$, and

• $P^2_j(W^{k^1}) + Q^2_j(W^{k^2}) > c^2_j$ (i.e., $(W^{k^1}, W^{k^2})$ satisfies the inequality).

It can be checked that $(W^{k^0}, W^{k^2})$ also satisfies the inequality. This process can
go on and, as a result, we obtain an infinite sequence

$$W^{k^0}, \dots, W^{k^i}, \dots$$

which satisfies:

• $P^2_j$ is in mode $\mathcal{M}(P^2_j) = \searrow$ on the sequence,

• $Q^2_j$ is in mode $\mathcal{M}(Q^2_j) = \nearrow$ on the sequence,

• $(W^{k^{i_1}}, W^{k^{i_2}})$ satisfies the linear inequality for all $i_1$ and $i_2$.

Therefore, the sequence (as well as any subsequence) is a strong $\omega$-chain of the
linear inequality. □

Thus, $S$ has a monotonic (of mode $\mathcal{M}$) and strong $\omega$-chain iff formula (11),
which is definable in the additive theory of reals, is satisfied by some $U \in [0, 1]^m$.
Hence,

Lemma 4 Let $S$ be a conjunction of $l$ dense linear equations $P^1_j(X) + Q^1_j(X') = c^1_j$
and $l$ dense linear inequalities $P^2_j(X) + Q^2_j(X') > c^2_j$ defined in (2,3). Let $\mathcal{M}$ be a
mode vector on $X$, $P^1_j$, $Q^1_j$, $P^2_j$, $Q^2_j$, $1 \le j \le l$. Then, it is decidable whether $S$ has
a monotonic and strong $\omega$-chain.

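5. The Existence of $\omega$-chains for Discrete Linear Inequalities

Assume that $T$ is a conjunction of $l$ discrete linear inequalities $P_j(Y) + Q_j(Y') >
c_j$. Let $\mathcal{M}$ be a mode vector (on each integer variable, each term $P_j$, $Q_j$, $1 \le j \le
l$). We use "$\nearrow$", "$\rightarrow$", and "$\searrow$" to stand for "unbounded increasing", "flat" and
"unbounded decreasing" modes, respectively. Assume that

$$V^0, \dots, V^k, \dots$$

is a monotonic and strong $\omega$-chain of $T$. Therefore,

$$\text{for any } k_1 < k_2,\ T(V^{k_1}, V^{k_2}). \qquad (12)$$

(12) implies that, for each $1 \le j \le l$, the mode $\mathcal{M}(P_j)$ and the mode $\mathcal{M}(Q_j)$ only
have the following five combinations (all the others are not possible):

• $\mathcal{M}(P_j) = \nearrow$ and $\mathcal{M}(Q_j) = \nearrow$,

• $\mathcal{M}(P_j) = \rightarrow$ and $\mathcal{M}(Q_j) = \nearrow$,

• $\mathcal{M}(P_j) = \searrow$ and $\mathcal{M}(Q_j) = \nearrow$,

• $\mathcal{M}(P_j) = \nearrow$ and $\mathcal{M}(Q_j) = \rightarrow$,

• $\mathcal{M}(P_j) = \rightarrow$ and $\mathcal{M}(Q_j) = \rightarrow$.

If $\mathcal{M}(P_j) = \rightarrow$ (resp. $\mathcal{M}(Q_j) = \rightarrow$), we use $p_j$ (resp. $q_j$) to stand for $P_j(V^0)$
(resp. $Q_j(V^0)$). Similarly, if $\mathcal{M}(y) = \rightarrow$, we use $v_y$ to denote the component of $y$
in $V^0$. Suppose $1 \le j_1 \ne j_2 \le l$, $\mathcal{M}(P_{j_1}) = \searrow$ and $\mathcal{M}(Q_{j_1}) = \nearrow$, $\mathcal{M}(P_{j_2}) = \nearrow$ and
$\mathcal{M}(Q_{j_2}) = \rightarrow$. That is, $\lim P_{j_1}(V^k) = -\infty$, $\lim Q_{j_1}(V^k) = +\infty$, $\lim P_{j_2}(V^k) = +\infty$,
and for all $k$, $Q_{j_2}(V^k) = q_{j_2}$. From (12), for all $k \ge 0$, we can pick $V^{k_1}$ and $V^{k_2}$
such that $T(V^{k_1}, V^{k_2})$, and

• $-k > P_{j_1}(V^{k_1}) > P_{j_1}(V^{k_2})$, and

• $k < Q_{j_1}(V^{k_1}) < Q_{j_1}(V^{k_2})$,

and

• $k < P_{j_2}(V^{k_1}) < P_{j_2}(V^{k_2})$, and

• $Q_{j_2}(V^{k_1}) = Q_{j_2}(V^{k_2}) = q_{j_2}$.

Similar statements can be made for all the valid choices of $\mathcal{M}(P_j)$ and $\mathcal{M}(Q_j)$,
$1 \le j \le l$, as well as for $\mathcal{M}(y)$, $y \in Y$. That is, for all $k \ge 0$, there are $V^{k_1}$ and
$V^{k_2}$ such that

• $V^{k_1}$ and $V^{k_2}$ are consistent with mode $\mathcal{M}(y)$ for each $y \in Y$. That is, for all
$y \in Y$, $V^{k_1}(y) < V^{k_2}(y)$ (resp. $=$, $>$) and $k < V^{k_1}(y)$ (resp. $v_y = V^{k_1}(y)$,
$-k > V^{k_1}(y)$) if $\mathcal{M}(y) = \nearrow$ (resp. $\rightarrow$, $\searrow$), where $V^{k_1}(y)$ is the component for
$y$ in vector $V^{k_1}$.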

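• For each $1 \le j \le l$, one of the following items holds:

- $\mathcal{M}(P_j) = \nearrow$ and $\mathcal{M}(Q_j) = \nearrow$. In this case, $k < P_j(V^{k_1}) < P_j(V^{k_2})$ and
$k < Q_j(V^{k_1}) < Q_j(V^{k_2})$.

- $\mathcal{M}(P_j) = \rightarrow$ and $\mathcal{M}(Q_j) = \nearrow$. In this case, $P_j(V^{k_1}) = P_j(V^{k_2}) = p_j$ and
$k < Q_j(V^{k_1}) < Q_j(V^{k_2})$.

- $\mathcal{M}(P_j) = \searrow$ and $\mathcal{M}(Q_j) = \nearrow$. In this case, $-k > P_j(V^{k_1}) > P_j(V^{k_2})$
and $k < Q_j(V^{k_1}) < Q_j(V^{k_2})$.

- $\mathcal{M}(P_j) = \nearrow$ and $\mathcal{M}(Q_j) = \rightarrow$. In this case, $k < P_j(V^{k_1}) < P_j(V^{k_2})$ and
$Q_j(V^{k_1}) = Q_j(V^{k_2}) = q_j$.

- $\mathcal{M}(P_j) = \rightarrow$ and $\mathcal{M}(Q_j) = \rightarrow$. In this case, $P_j(V^{k_1}) = P_j(V^{k_2}) = p_j$ and
$Q_j(V^{k_1}) = Q_j(V^{k_2}) = q_j$.

The above statement (replacing $V^{k_1}$ with $V$ and $V^{k_2}$ with $V'$) can be written as

$$\forall k\, \exists V\, \exists V'\ G(k, C, V, V', \mathcal{M}) \qquad (13)$$

where $C$ represents the tuple of all the constant values $p_j$ and $q_j$, $1 \le j \le l$, and $v_y$,
$y \in Y$. Clearly, $G$ is a Presburger formula. Conversely, we can show the following
lemma.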

Lemma 5 If there are a $C$ and a mode vector $\mathcal{M}$ satisfying (13), then $T$ has a
monotonic and strong $\omega$-chain.

Proof. Assume (13) holds for some $C$ and a mode vector $\mathcal{M}$. For $k = 0$,
according to (13), we pick $V_0, V_0'$ satisfying $G(0, C, V_0, V_0', \mathcal{M})$. Take

$$k = \max\{|P_j(V_0')|, |Q_j(V_0')|\}.$$

For this $k$, according to (13), we pick any $V_1, V_1'$ satisfying $G(k, C, V_1, V_1', \mathcal{M})$.
What is the relationship among $V_0, V_0', V_1, V_1'$? Clearly, $T(V_0, V_0')$ and $T(V_1, V_1')$
hold. More importantly, $T(V_0, V_1)$ must be true. This can be concluded from the
definition of $G$ and the choice of $k$ and $V_1$. We can continue the procedure by
taking

$$k = \max\{|P_j(V_1')|, |Q_j(V_1')|\},$$

picking $V_2, V_2'$ from (13) according to this $k$, and concluding $T(V_1, V_2)$, etc.
Finally, we obtain an $\omega$-chain $V_0, \dots, V_k, \dots$ of $T$. It is straightforward to verify that
the chain is monotonic (of mode $\mathcal{M}$) and strong. □

In summary, for any $\mathcal{M}$, $T$ has a monotonic and strong $\omega$-chain iff

$$\exists C\, \forall k\, \exists V\, \exists V'\ G(k, C, V, V', \mathcal{M}). \qquad (14)$$

Since $G$ is Presburger, we have,

Lemma 6 Assume that $T$ is a conjunction of $l$ discrete linear inequalities $P_j(Y) +
Q_j(Y') > c_j$. Let $\mathcal{M}$ be a mode vector on $Y$, $P_j$ and $Q_j$, $1 \le j \le l$. It is decidable
whether $T$ has a monotonic and strong $\omega$-chain.

Now, we are ready to put Theorem 1, Lemma 1, Lemma 2, Lemma 4, Lemma 6 
together and conclude the main theorem. 
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Theorem 2 It is decidahle whether a transitive mixed linear relation has an co- 
chain. 

An upper bound for the time complexity of the decidable result in Theorem 2
can be obtained as follows. Let R be given in (1) whose length is L. One can show
that the length of formula (11) as well as formula (14) is O(L) (for any fixed choice
of $\mathcal{M}$). Using the complexity result given in [24], the satisfiability of (11) and the

satisfiability of (14) are decidable in time 2 , for each fixed M.. But since 

there are only (at most) 3™3"33pi33p/ choices for M, whether R has an w-chain is 

still decidable in time 2^ 

Notice that the transitivity in Theorem 2 is critical. The existence of an
ω-chain is undecidable for mixed linear relations. The undecidability remains even
for Presburger relations. This is because a Presburger relation can be used to
encode one-step transitions of a deterministic two-counter machine. The negation
of the halting problem (which is undecidable) for the machine can be reduced to
the existence of an ω-chain for the Presburger relation.

6. Applications 

In this section, we will study various verification problems for restricted infinite
state systems containing both dense counters and discrete counters. We start with 
a general model. 

6.1. Mixed linear counter systems 

Let M be a machine that is equipped with a number of dense counters X and
discrete counters Y and whose transitions involve changing control states while
changing counter values. A configuration of M is a tuple consisting of a control
state and counter values. Formally, M is a tuple $(S, X, Y, t)$ where t is the
one-step transition such that for each $s, s' \in S$, $t(s, X, Y, s', X', Y')$ indicates
that M transits from a configuration $(s, X, Y)$ at s to another configuration
$(s', X', Y')$ at s'. $(s', U', V')$ is reachable from $(s, U, V)$, written
$T(s, U, V, s', U', V')$, if there are k (for some k) configurations
$(s_0, U^0, V^0), \ldots, (s_k, U^k, V^k)$ such that $(s_0, U^0, V^0) = (s, U, V)$,
$(s_k, U^k, V^k) = (s', U', V')$, and $t(s_i, U^i, V^i, s_{i+1}, U^{i+1}, V^{i+1})$ for all
$0 \le i < k$. In this case, we say that $(s, U, V)$ reaches $(s', U', V')$ through
configurations $(s_i, U^i, V^i)$, $0 < i < k$. Notice that T, called the binary
reachability of M, is the transitive closure of t. M is a mixed linear counter
system if, when s and s' are understood as bounded integer variables,

• $t(s, X, Y, s', X', Y')$ is a mixed linear relation,

• $T(s, X, Y, s', X', Y')$ is an (obviously transitive) mixed linear relation.

Now, we assume that M is a mixed linear counter system. Let I and P be
two subsets of configurations of M both of which are definable by mixed formulas.
There are two kinds of verification problems we will consider. M is P-safe from
I if no configuration in I reaches a configuration in P. The mixed linear safety
problem for M is to decide whether M is P-safe from I. An infinite sequence of
configurations

$(s_0, U^0, V^0), \ldots, (s_k, U^k, V^k), \ldots$

of M is P-live from I if the following items hold:

• $(s_0, U^0, V^0) \in I$,

• there are infinitely many k such that $(s_k, U^k, V^k) \in P$, and

• for all $k \ge 0$, $t(s_k, U^k, V^k, s_{k+1}, U^{k+1}, V^{k+1})$. That is, the sequence is an
infinite execution of M.

M is P-live from I if there is an infinite sequence of configurations that is P-live
from I. The mixed linear liveness problem for M is to decide whether M is P-live
from I.

These two problems can be further generalized. Let $I, P_1, \ldots, P_k$ be subsets
of configurations of M definable in mixed formulas. The k-mixed linear safety
problem for M is to decide whether no configuration in I reaches a configuration in
$P_k$ through some configurations $c_1, \ldots, c_{k-1}$ in $P_1, \ldots, P_{k-1}$ respectively.
The k-mixed linear liveness problem for M is to decide whether there is an infinite
execution of M that is $P_i$-live from I for each $1 \le i \le k$. The k-mixed linear
safety (resp. liveness) problem is exactly the mixed linear safety (resp. liveness)
problem, when k = 1.

Theorem 3 (1). The k-mixed linear safety problem for mixed linear counter sys- 
tems is decidable for each k. (2). The k-mixed linear liveness problem for mixed 
linear counter systems is decidable for each k. 

Proof. Let M be a mixed linear counter system with states S and one-step
transition t, and let I and $P_1, \ldots, P_k$ be sets (definable by mixed formulas) of
configurations of M. The proof of (1) is straightforward, since one can show that
the set of configurations $c_0$ satisfying:

• $c_0$ in I,

• there are configurations $c_1 \in P_1, \ldots, c_k \in P_k$ such that $c_0$ reaches $c_k$
through $c_1, \ldots, c_{k-1}$; i.e., $T(c_0, c_1), \ldots, T(c_{k-1}, c_k)$,

is definable in a mixed formula (its satisfiability is decidable). Now, we look at (2).
Define a formula T as follows. $T(s, X, Y, s', X', Y')$ is true iff there are
configurations $(s_1, X^1, Y^1), \ldots, (s_k, X^k, Y^k)$ such that,

• $(s, X, Y)$ is reachable from some configuration in I,

• $(s_i, X^i, Y^i)$ satisfies $P_i$, for each $1 \le i \le k$,

• $(s, X, Y)$ reaches $(s_1, X^1, Y^1)$ (i.e., $T(s, X, Y, s_1, X^1, Y^1)$),

• $(s_i, X^i, Y^i)$ reaches $(s_{i+1}, X^{i+1}, Y^{i+1})$, for each $1 \le i < k$,

• $(s_k, X^k, Y^k)$ reaches $(s', X', Y')$.

Since M is a mixed linear counter system, it is not hard to see that T is a transitive
mixed linear relation. (2) follows from Theorem 2, noticing that T has an ω-chain
iff there is an infinite execution of M that is $P_i$-live from I for each $1 \le i \le k$. □

Consider the eventuality problem: is there an infinite execution of M that starts
from some configuration in I such that P is satisfied somewhere on the execution?
The problem is a special case of the mixed linear liveness problem. To see this, let
I' be the set of configurations that are reachable from I and satisfy P. Obviously,
the eventuality problem is equivalent to the problem whether M is true-live from I',
which is decidable (true stands for the set of all configurations) from Theorem 3. We
can modify the eventuality problem as follows: is there an infinite execution of M
that starts from some configuration in I such that P is satisfied by each configuration
on the execution? Unfortunately, this modified problem is undecidable for M, even
when M is a discrete timed automaton (cf. [12] for a proof).

In practice, there are many counter models that have been found to be mixed
linear. Applying Theorem 3 to these systems gives a number of new decidability
results concerning safety/liveness verification. We first recall some definitions.

A timed automaton A is a tuple

$(S, \{x_1, \ldots, x_m\}, \mathcal{C}, Inv, R, C)$,

where

• S is a finite set of (control) states,

• $x_1, \ldots, x_m$ are (dense) clocks,

• $\mathcal{C}$ is the set of all clock constraints over clocks $x_1, \ldots, x_m$; i.e., boolean
combinations of formulas in the form of $x_i - x_j \sim d$ or $x_i \sim d$, where d is an
integer and $\sim$ stands for $<$, $>$, $\le$, $\ge$, $=$,

• $Inv : S \to \mathcal{C}$ assigns a clock constraint over clocks $x_1, \ldots, x_m$, called an
invariant, to each state,

• $R : S \times S \to 2^{\{x_1, \ldots, x_m\}}$ assigns a subset of clocks to a directed edge in
$S \times S$,

• $C : S \times S \to \mathcal{C}$ assigns a clock constraint over clocks $x_1, \ldots, x_m$, called a
reset condition, to a directed edge in $S \times S$.

The semantics of A is defined as follows. A configuration (s, U) is a pair of a control
state s and a tuple U of clock values. A transition is either a progress transition or a
reset transition. A progress transition makes all the clocks synchronously progress
by a positive amount, during which the invariant is consistently satisfied, while
the automaton remains at the same control state. A reset transition, by moving
from state $s_1$ to state $s_2$, resets every clock in $R(s_1, s_2)$ to 0 and keeps all the
other clocks unchanged. In addition, clock values before the transition satisfy the
invariant $Inv(s_1)$ and the reset condition $C(s_1, s_2)$; clock values after the transition
satisfy the invariant $Inv(s_2)$. In particular, when the clocks are integer-valued
(and hence clocks are incremented by some positive integral amount in a progress
transition), A is called a discrete timed automaton. The following characterization
has recently been established [8].

Theorem 4 Timed automata, as well as discrete timed automata, are mixed linear 
counter systems. 

Hence, from Theorem 3, the following corollary is obtained. 

Corollary 1 (1). The k-mixed linear safety problem is decidable for timed
automata as well as for discrete timed automata [8].

(2). The k-mixed linear liveness problem is decidable for discrete timed automata
[12].

(3). The k-mixed linear liveness problem is decidable for timed automata.

A (free) counter is an integer variable that can be tested against 0, incremented
by 1, decremented by 1, or left unchanged. A timed automaton can be augmented
with counters by integrating a reset transition with a counter operation. A counter
in a timed automaton is reversal-bounded if there is a number r such that, during
any execution of the automaton, the counter changes mode between nondecreasing
and nonincreasing at most r times. Let A be a timed automaton augmented
with a finite number of reversal-bounded counters and one free counter. Now, a
configuration (s, U, V) of A is a tuple of a control state s, dense clock values U and
counter values V. When A does not contain any clocks, it is a finite automaton
augmented with reversal-bounded counters and one free counter.

Theorem 5 (1). Discrete timed automata augmented with reversal-bounded
counters and one free counter are mixed linear counter systems [10].

(2). Timed automata augmented with reversal-bounded counters and one free
counter are mixed linear counter systems [9].

Hence, from Theorem 3, the following corollary is obtained.

Corollary 2 (1). The k-mixed linear safety problem is decidable for discrete timed
automata augmented with reversal-bounded counters and one free counter [10].

(2). The k-mixed linear safety problem is decidable for timed automata
augmented with reversal-bounded counters and one free counter [9].

(3). The k-mixed linear liveness problem is decidable for finite automata
augmented with reversal-bounded counters and one free counter [11].

(4). The k-mixed linear liveness problem is decidable for timed automata (as well
as discrete timed automata) augmented with reversal-bounded counters and one free
counter.

Corollary 1 (3) and Corollary 2 (4) are new decidability results. One should
notice that the loop analysis techniques presented in [12, 11] to show Corollary
1 (2) and Corollary 2 (3) cannot be easily used to prove our new results. The
corollaries can be used to automatically verify a class of non-region safety and
liveness properties that, previously, could not be verified using the traditional region
technique [2]. Below, we look at an example of liveness verification. Consider
a system S of two concurrent processes $S_1$ and $S_2$. The two processes may use
a counting semaphore to perform concurrency control. In some applications, we
would like to ensure that the concurrency control makes S starvation-free; i.e., it is
not possible that the composite system S, starting from some initial configuration,
executes for some finite number of steps and then $S_1$ solely executes forever (in
this case, $S_2$ starves). We use S' to denote the system that behaves like S then,
nondeterministically, behaves like $S_1$ afterwards. It is observed that $S_2$ starves iff S'
has an ω-chain (i.e., S' is true-live from the initial configuration). Now, we suppose
that $S_1$ and $S_2$ are real-time processes modeled as discrete timed automata. A
free counter is used for the counting semaphore. From Corollary 2 (4), whether $S_2$
starves can be automatically verified.

Besides mixed linear safety/liveness problems, one may also be interested in a
class of boundedness problems as below. Let M be a mixed linear counter system
with dense counters X and discrete counters Y. Let I be a set of configurations
definable in a mixed formula. We use l to denote a linear combination of X and
Y; i.e., $l = \sum_i a_i x_i + \sum_j b_j y_j + c$ with $a_i$, $b_j$, c integers. Let $l_1, \ldots, l_p$ be
p such linear combinations. Are there numbers $B_1, \ldots, B_p$ such that, starting from
a configuration in I, M can only reach a configuration satisfying $l_i < B_i$ for each
$1 \le i \le p$? This boundedness problem can be easily shown decidable, since the
question is equivalent to the satisfiability (for $B_1, \ldots, B_p$) of the following mixed
formula: $\forall \alpha, \beta : \alpha \in I \wedge T(\alpha, \beta) \rightarrow$ "$\beta$ satisfies $l_i < B_i$ for each
$1 \le i \le p$". One may also ask a slightly different question:

(*) For each infinite execution starting from I, are there $p \ge 1$ numbers
$B_1, \ldots, B_p$ such that every configuration on the execution satisfies $l_i < B_i$
for each $1 \le i \le p$?

We call this question the mixed linear boundedness problem, whose decidability
is not obvious.

Theorem 6 The mixed linear boundedness problem is decidable for mixed linear 
counter systems. 

Proof. Let M be a mixed linear counter system. Without loss of generality,
we assume p = 1 (the other cases for p are similar). That is, we are given one
linear combination l. An infinite execution is unbounded for l if for any B there is
some configuration on the execution satisfying l > B. It suffices for us to consider
the negation of the question statement (*): whether there is an unbounded infinite
execution starting from I. The proof uses the idea of Theorem 3. Define a formula
T as follows. $T(s, X, Y, s', X', Y')$ is true iff the following two items are true:

• $(s, X, Y)$ is reachable from some configuration in I,

• $(s, X, Y)$ reaches $(s', X', Y')$; i.e., $T(s, X, Y, s', X', Y')$,

• $l(X, Y) + 1 < l(X', Y')$.

The result follows immediately, noticing that T is a transitive mixed linear relation
and T has an ω-chain iff M has an unbounded infinite execution from I. □

From their proofs, Theorem 6 and Theorem 3 (2) can be combined. For instance,
the following question is decidable: is there an infinite execution of M that is P-live
from I and that is unbounded for l?

Notice that, in (*), the bounds $B_1, \ldots, B_p$ are not uniform over all the infinite
executions. To make them uniform, one might ask another different question by
switching the quantifications in (*):

(**) Are there numbers $B_1, \ldots, B_p$ such that, for each infinite execution
starting from I, every configuration on the execution satisfies $l_i < B_i$
for each $1 \le i \le p$?

Currently, we do not know whether (**) is decidable or not. We leave this as an
open question. However, the following question (by making $B_1, \ldots, B_p$ in (**) fixed,
e.g., 0)

is it true that, for each infinite execution starting from I, every
configuration on the execution satisfies $l_i < 0$ for each $1 \le i \le p$?

is decidable, since its negation is equivalent to an eventuality problem.

One can easily find applications for Theorem 6. For instance, consider a system
with two concurrent real-time processes running on one CPU. The processes are
modeled as two discrete timed automata using a lock semaphore to achieve
concurrency and using clocks to enforce timing constraints. The system is designed to
be non-terminating and some fairness constraints are expected. We use $t_1$ (resp.
$t_2$) to denote the total time that process 1 (resp. process 2) takes the CPU so
far. One such constraint could be as follows. There is no infinite execution of
the system on which the difference $|t_1 - t_2|$ is unbounded. This constraint can be
automatically verified due to Theorem 6 and the fact, from Theorem 5, that the
system, a discrete timed automaton augmented with two monotonic (and hence
reversal-bounded) counters $t_1$ and $t_2$, is a mixed linear counter system.

6.2. Timed pushdown systems 

There has been much interesting work on various verification problems for
pushdown systems [4, 5, 6, 9, 10, 11, 13, 14]. Studying pushdown systems is important,
since they are directly related to recursive programs and processes. In this
subsection, we will study pushdown systems with discrete clocks and reversal-bounded
counters. Safety verification for these systems is discussed in [10]. Here, we
investigate the mixed linear liveness problem (since now we have only discrete variables,
we call the problem the Presburger liveness problem).

As we mentioned before, a timed automaton can be augmented with reversal- 
bounded counters. Here we only consider discrete clocks that take integer val- 
ues. The discrete timed automaton can be further augmented with a pushdown 
stack. The resulting machine A is called a discrete pushdown timed automaton 
with reversal-bounded counters. In addition to counter operations and clock op- 
erations, A can push a symbol on the top of the stack, pop the top symbol from 
the stack, and test whether the top symbol of the stack equals some symbol. A 
configuration of A is a tuple of a control state, discrete clock values, counter values,
and a stack word. The binary reachability T is the set of configuration pairs such
that one can reach the other in A. Each stack word w corresponds to an integer
tuple $n = (n_{a_1}, \ldots, n_{a_l})$, where $\{a_1, \ldots, a_l\}$ is the stack alphabet and each count
$n_{a_i}$ stands for the number of occurrences of symbol $a_i$ in w. The tuple n is also
called the stack word counts for w. In this way, a set C of configurations corresponds
to a predicate on states, clock values, counter values, and stack word counts. C is
Presburger if the predicate is definable by a Presburger formula. C is commutative
if, for any configurations c and c' satisfying that c and c' are the same except that
the stack word in c is a permutation of the stack word in c', $c \in C$ iff $c' \in C$. In
this case, the predicate exactly characterizes the set C. Let I and P be two Presburger
subsets of configurations. We say A is P-live from I if there is an infinite sequence
$c^0, \ldots, c^k, \ldots$ such that (1). $c^0 \in I$, (2). for all $k \ge 0$, $T(c^k, c^{k+1})$, and
(3). $c^k \in P$ for infinitely many k. The Presburger liveness problem for A is whether
A is P-live from I, given I and P two Presburger subsets of configurations.

Theorem 7 The Presburger liveness problem for discrete pushdown timed automata
with reversal-bounded counters is decidable.

Proof. Let A be a discrete pushdown timed automaton with reversal-bounded
counters. We use Y to denote the discrete clocks and counters in A. We use n
to denote an integer tuple of stack word counts. Let I and P be two Presburger
subsets of configurations of A. Define T as follows. $T(s, Y, n, a, s', Y', n', a')$ is
true iff there are two stack words w and w' (called witnesses) such that

• (Condition 1) w is a (not necessarily proper) prefix of w',

• (Condition 2.1) w ends with stack symbol a (i.e., a is the top symbol of the 
stack word w), 

• (Condition 2.2) w' ends with stack symbol a', 

• (Condition 3.1) n is the stack word counts for w, 

• (Condition 3.2) n' is the stack word counts for w',

• (Condition 4) configuration (s, Y, w) is reachable from some configuration in 
I, 

• (Condition 5) configuration (s, Y, w) reaches configuration (s', Y', w') through 
a sequence of moves in A, during which the top symbol a of w is not popped 
out and during which there is a configuration in P. 

Assume that w'' and w''' witness $T(s, Y, n, a, s', Y', n', a')$. Observe that, for any
w satisfying (Condition 2.1), (Condition 3.1) and (Condition 4), w and
w' = w + (w''' − w'') (i.e., w concatenated with the result of deleting the prefix w''
from w''') also witness $T(s, Y, n, a, s', Y', n', a')$. The reason is as follows. According
to (Condition 5), the top a of w'' will not be popped out. That is, the content (instead
of counts) of w'' is insensitive to (Condition 5). Therefore, (Condition 5) still holds
when w'' is replaced with w as long as the prefix w'' of w''' is also replaced with w;
i.e., (Condition 5) still holds for w and w'. This observation will be used in proving
the following claim.






(Claim 1) T has an ω-chain iff A is P-live from I.

Proof of (Claim 1). (⇒). Assume T has an ω-chain

$(s_0, V_0, n_0, a_0), \ldots, (s_k, V_k, n_k, a_k), \ldots$.

Therefore, for each k, we have a pair of stack words $w_k$ and $w_k'$ that witness the
fact of $T(s_k, V_k, n_k, a_k, s_{k+1}, V_{k+1}, n_{k+1}, a_{k+1})$. Now, take $w_0'' = w_0$, and for all
$k \ge 1$, $w_k'' = w_0 + (w_0' - w_0) + \cdots + (w_{k-1}' - w_{k-1})$. Using the above observation,
it can be easily shown that, for any $k \ge 0$, $w_k''$ and $w_{k+1}''$ witness

$T(s_k, V_k, n_k, a_k, s_{k+1}, V_{k+1}, n_{k+1}, a_{k+1})$.

Applying (Condition 4) on configuration $(s_0, V_0, w_0'')$ and (Condition 5) on
configurations $(s_k, V_k, w_k'')$ and $(s_{k+1}, V_{k+1}, w_{k+1}'')$ for all $k \ge 0$, we can show A is
P-live from I.

(⇐). Assume A is P-live from I. That is, there is an infinite sequence
$c^0, \ldots, c^k, \ldots$ such that (1). $c^0 \in I$, (2). for all $k \ge 0$, $T(c^k, c^{k+1})$, and
(3). $c^k \in P$ for infinitely many k. Without loss of generality, we assume that A
leads $c_k$ to $c_{k+1}$ by running exactly one move, for all $k \ge 0$. Therefore, the stack
word $w_k$ in $c_k$ and the stack word $w_{k+1}$ in $c_{k+1}$ satisfy one of the following
conditions: (1). $w_k = w_{k+1}a$; i.e., the move pops a for some symbol a,
(2). $w_{k+1} = w_k a$; i.e., the move pushes a for some symbol a, (3). $w_{k+1} = w_k$; i.e.,
the move does not change the stack. Notice that the stack has a special bottom
symbol $Z_0$; i.e., every $w_k$ starts with $Z_0$. The following technique has been used in
several places (e.g., [18, 5]). For the sequence of the stack words
$w_0, \ldots, w_k, \ldots$, define a strictly increasing sequence $k_0, \ldots, k_i, \ldots$ as follows.

$k_0$ is picked such that $w_{k_0}$ is a prefix of each $w_k$ with $k > 0$;

$k_1 > k_0$ is picked such that $w_{k_1}$ is a prefix of each $w_k$ with $k > k_0$;

$k_2 > k_1$ is picked such that $w_{k_2}$ is a prefix of each $w_k$ with $k > k_1$; etc.

Such a sequence always exists. Clearly, each $w_{k_i}$ is a prefix of $w_{k_{i+1}}$ and from
configuration $c_{k_i}$ to configuration $c_{k_{i+1}}$, the top symbol of $w_{k_i}$ is not popped out.
Since there are infinitely many k with $c_k \in P$, there is a strictly increasing sequence
$i_0, \ldots, i_j, \ldots$ such that, for all j, there is a k satisfying $c_k \in P$ and
$k_{i_j} < k < k_{i_{j+1}}$. For each $j \ge 0$, we use $(s_j, V_j, n_j, a_j)$ to denote the control
state, clock and counter values, the count vector of the stack word, and the top
symbol of the stack word, respectively in configuration $c_{k_{i_j}}$. It is left to the
reader to check

$(s_0, V_0, n_0, a_0), \ldots, (s_j, V_j, n_j, a_j), \ldots$

is an ω-chain of T, where, for all $j \ge 0$, $T(s_j, V_j, n_j, a_j, s_{j+1}, V_{j+1}, n_{j+1}, a_{j+1})$ is
witnessed by $w_{k_{i_j}}$ and $w_{k_{i_{j+1}}}$.

Therefore, (Claim 1) is proved. Next, we are going to show that, 

(Claim 2). $T(s, Y, n, a, s', Y', n', a')$ is a Presburger formula (when s, s', a, a'
are understood as bounded integer variables).

Proof of (Claim 2). We build a machine M that accepts the domain (which
are integer tuples) of T. Then we argue that integer tuples accepted by M are
definable by a Presburger formula. M is a machine with a one-way input tape and
a pushdown stack. M is also equipped with a number of counters, among which
each clock in A corresponds to a clock-counter in M and each reversal-bounded
counter in A corresponds to a rv-counter in M. In addition, M contains a
count-counter for each stack symbol and contains a number of other auxiliary counters.
Whenever M pushes a to (resp. pops a from) the stack, the count-counter for a is
incremented (resp. decremented) by one. So, a count-counter is used to record the
number of a stack symbol in a stack word. M works as follows. Given an input

(s, Y, n, a, s', Y', n', a') 

on M's input tape, where each integer in the above tuple is encoded as a unary
string and separated by a delimiter, M starts to simulate A as follows. M guesses
a control state for A, a value for each clock-counter and a value for each rv-counter.
At this moment, M makes sure that the stack is empty and each count-counter is
0. Then M guesses a stack word (by nondeterministically pushing symbols) and
updates the count-counters accordingly. At some moment, M decides that I is
satisfied by checking that the guessed control state, the clock-counter values, the
rv-counter values, and the count-counters satisfy I. Doing this needs some auxiliary
counters and needs only a finite number of counter reversals, since I is Presburger
[19]. When this is checked out, M starts to simulate A (from the guessed state)
using its own stack for the stack in A, its own clock-counters for the clocks in A
and its own rv-counters for the reversal-bounded counters in A. All the transitions
of A are faithfully simulated by M. In addition, whenever A pushes a to (resp.
pops a from) the stack, M increments (resp. decrements) the count-counter for a
by one. Nondeterministically at some moment, M decides to read the input tape
by suspending the simulation. Then, M makes sure that the first half of the input
(s, Y, n, a) is consistent with the current configuration of A. That is, the control
state of A (remembered in M's finite control) is s, clock-counters and rv-counters
have the same values as in Y (doing this needs auxiliary reversal-bounded counters),
the stack top symbol is a, and count-counters have the same values as in n (doing
this also needs auxiliary reversal-bounded counters). When these are checked out,
(Condition 2.1), (Condition 3.1) and (Condition 4) are satisfied for the current
configuration (s, Y, n, a) of A.

Then, M replaces the stack top symbol a with a new symbol a and resumes
the simulation of A. M makes sure that the simulation afterwards will not pop
the new symbol out of M's stack. Nondeterministically at some moment later, M
decides that the current configuration of A satisfies P. M checks that this is indeed
true using its own counters. Similar to the previous scenario for I, this checking
needs only a finite number of counter reversals and needs other auxiliary
reversal-bounded counters. When this is checked out, M resumes the simulation of A.
Again, nondeterministically at some moment later, M shuts down the simulation
and compares the rest of the input tape (s', Y', n', a') with the control state of A in
M's finite control, the clock-counter and rv-counter values of M, the count-counter
values, and the top symbol of the stack. The comparisons make sure that (Condition
1), (Condition 2.2), (Condition 3.2) and (Condition 5) are satisfied by the current
configuration of A. M accepts the input if the comparisons are successful. Clearly,
M accepts exactly the domain of T.

What are the counters in M? They are clock-counters, rv-counters,
count-counters, and a number of other auxiliary reversal-bounded counters. All of them
are reversal-bounded except the clock-counters and the count-counters. Each
count-counter $n_a$ can be treated as the difference $n_a^+ - n_a^-$ of two reversal-bounded
counters $n_a^+$ and $n_a^-$: $n_a^+$ (resp. $n_a^-$) is used to record the number of pushes
(resp. pops) of a. So, each count-counter can be simulated by two reversal-bounded
counters. How about clock-counters? In [10] (see also its full version), a technique is
proposed such that, as far as binary reachability is concerned, discrete clocks can be
simulated by reversal-bounded counters. Therefore, clock-counters can be made
reversal-bounded from the start of simulating A to the moment checking P, and,
from the moment checking P to shutting down A. Hence, M only has
reversal-bounded counters as well as a pushdown stack. Therefore, M is a reversal-bounded
multicounter machine with a pushdown stack and a one-way input tape (NPCM).
It is known that NPCMs accept semilinear languages [19]. In particular, since
M accepts a language in the form of integer tuples, the language is definable by a
Presburger formula [19]. Hence, T is Presburger. Therefore, (Claim 2) is proved.

Since a Presburger formula is a special form of a mixed linear relation, Theorem
7 follows from (Claim 1), (Claim 2), and Theorem 2. □
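The index selection used in the (⇐) direction of (Claim 1) can be run on a finite prefix of an execution. The following Python sketch is an added example, not code from the paper; the trace, the state names, the alphabet and the predicate in_p are constructed for illustration, and on a finite prefix the selected indices are minima only relative to the end of the trace.

```python
from collections import Counter
from typing import Callable, List, NamedTuple, Tuple

ALPHABET = ("Z", "a", "b")   # constructed stack alphabet; "Z" plays the bottom symbol Z_0


class Config(NamedTuple):
    state: str
    y: Tuple[int, ...]       # discrete clock and counter values
    stack: str               # stack word, bottom symbol first


def single_moves(trace: List[Config]) -> bool:
    """True iff consecutive stack words differ by one push, one pop, or not at all."""
    for c, d in zip(trace, trace[1:]):
        w, v = c.stack, d.stack
        if not (v == w or v[:-1] == w or w[:-1] == v):
            return False
    return True


def stack_minima(trace: List[Config]) -> List[int]:
    """Indices k whose stack word is a prefix of every later stack word in the trace.

    With single moves this holds exactly when no later word is shorter than w_k.
    """
    minima, lowest = [], float("inf")
    for k in range(len(trace) - 1, -1, -1):
        lowest = min(lowest, len(trace[k].stack))
        if len(trace[k].stack) == lowest:
            minima.append(k)
    return minima[::-1]


def chain_indices(trace: List[Config], in_p: Callable[[Config], bool]) -> List[int]:
    """Subsequence of the minima with a P-configuration strictly between neighbours."""
    minima = stack_minima(trace)
    chosen = [minima[0]]
    for m in minima[1:]:
        if any(in_p(trace[k]) for k in range(chosen[-1] + 1, m)):
            chosen.append(m)
    return chosen


def chain_tuple(c: Config) -> Tuple[str, Tuple[int, ...], Tuple[int, ...], str]:
    """(s, Y, n, a): state, values, stack word counts, top symbol."""
    counts = Counter(c.stack)
    return (c.state, c.y, tuple(counts[a] for a in ALPHABET), c.stack[-1])


def witnesses(trace: List[Config], i: int, j: int,
              in_p: Callable[[Config], bool]) -> bool:
    """Check (Condition 1) and (Condition 5) for the stack words at positions i and j."""
    w, w2 = trace[i].stack, trace[j].stack
    never_popped = all(len(trace[k].stack) >= len(w) for k in range(i, j + 1))
    visits_p = any(in_p(trace[k]) for k in range(i + 1, j))
    return w2.startswith(w) and never_popped and visits_p


# Constructed sample run: ten configurations, one stack move per step.
STATES = ["q0", "q1", "p", "q1", "q2", "q2", "q2", "p", "q2", "q2"]
WORDS = ["Z", "Za", "Zab", "Za", "Zab", "Zabb", "Zab", "Zaba", "Zab", "Zabb"]
TRACE = [Config(s, (k,), w) for k, (s, w) in enumerate(zip(STATES, WORDS))]


def in_p(c: Config) -> bool:
    """Constructed target set P: every configuration in control state 'p'."""
    return c.state == "p"


if __name__ == "__main__":
    for k in chain_indices(TRACE, in_p):
        print(k, chain_tuple(TRACE[k]))
```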

We are not able to extend the result of Theorem 7 to dense clocks. The pattern
technique [9] that abstracts a dense clock into a discrete clock and a pattern does not
apply here. This is because the abstraction maintains the exact binary reachability
of dense clocks, but does not maintain the exact dense clock values between the
binary reachability. Timed pushdown systems with reversal-bounded counters dealt
with in Theorem 7 also have a lot of applications. For instance, they can be used to
model some real-time recursive concurrent programs. The reversal-bounded counters
can also be used to count the number of external events; these counts can be later
used to specify some fairness constraints on the environment.
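The definition of a reversal-bounded counter in Section 6.1 and the count-counter decomposition used in the proof of (Claim 2) can be checked on a concrete run. The following Python sketch is an added example, not code from the paper; the stack words are constructed, and the initial stack content is treated as already pushed.

```python
from typing import List, Tuple


def reversals(values: List[int]) -> int:
    """Number of mode changes between nondecreasing and nonincreasing.

    Steps that leave the counter unchanged fit either mode and never count.
    """
    mode = 0      # +1 while nondecreasing, -1 while nonincreasing, 0 before any change
    count = 0
    for prev, cur in zip(values, values[1:]):
        step = (cur > prev) - (cur < prev)
        if step and mode and step != mode:
            count += 1
        if step:
            mode = step
    return count


def stack_ops(words: List[str]) -> List[Tuple[str, str]]:
    """Derive the move ('push' | 'pop' | 'stay', symbol) between consecutive stack words."""
    ops = []
    for w, v in zip(words, words[1:]):
        if v == w:
            ops.append(("stay", ""))
        elif v[:-1] == w:
            ops.append(("push", v[-1]))
        elif w[:-1] == v:
            ops.append(("pop", w[-1]))
        else:
            raise ValueError(f"not a single stack move: {w!r} -> {v!r}")
    return ops


def count_counter_traces(words: List[str], symbol: str):
    """Histories of the count-counter n_a and of the counters n_a^+ and n_a^-."""
    plus = [words[0].count(symbol)]   # pushes of `symbol` so far
    minus = [0]                       # pops of `symbol` so far
    for op, a in stack_ops(words):
        plus.append(plus[-1] + int(op == "push" and a == symbol))
        minus.append(minus[-1] + int(op == "pop" and a == symbol))
    n = [p - m for p, m in zip(plus, minus)]
    return n, plus, minus


# Constructed stack words of a run; "Z" plays the bottom symbol.
WORDS = ["Z", "Za", "Zaa", "Za", "Zaa", "Za", "Z", "Za", "Zab", "Za"]

if __name__ == "__main__":
    n, plus, minus = count_counter_traces(WORDS, "a")
    print("n_a  ", n, "reversals:", reversals(n))
    print("n_a^+", plus, "reversals:", reversals(plus))
    print("n_a^-", minus, "reversals:", reversals(minus))
```

The count-counter itself reverses every time pushes and pops of the symbol alternate, so no fixed r bounds it over all runs, while the two monotonic counters never reverse.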

7. Conclusions 

In this paper, we showed that it is decidable whether a transitive mixed linear
relation has an ω-chain. Using this main theorem, we were able to establish, within
a unified framework, a number of liveness verification results on generalized timed
automata. More precisely, we proved that (1) the mixed linear liveness problem for
timed automata with dense clocks, reversal-bounded counters, and a free counter is
decidable, and (2) the Presburger liveness problem for timed automata with discrete
clocks, reversal-bounded counters, and a pushdown stack is decidable. The results
can be used to analyze some fairness constraints (e.g., livelock-free and
starvation-free) for infinite-state concurrent systems.

(Footnote: More precisely, discrete clocks in A can be replaced by reversal-bounded
counters (the result is called A') such that, whenever $c_1$ can reach $c_2$ in A, $c_1$
can reach $c_2$ in A' [10].)

Our results are useful in formulating a decidable subset of linear temporal logic
(LTL) for a class of timed automata augmented with counters. Let A be a timed
automaton with dense clocks, reversal-bounded counters, and a free counter. The
set of linear temporal logic formulas $\mathcal{L}_A$ with respect to A is defined by the
following grammar:

$\phi := P \mid \neg\phi \mid \phi \wedge \phi \mid \bigcirc\phi \mid \phi\, U\, \phi$

where P is a set of configurations of A definable by a mixed formula (on control
states, dense clocks, reversal-bounded counters, and the free counter). $\bigcirc$ denotes
"next", and $U$ denotes "until". Formulas in $\mathcal{L}_A$ are interpreted on infinite
execution sequences p of configurations of A in the usual way. This logic is very
similar to the Presburger LTL for timed automata with discrete clocks [12] except
that P is a mixed formula instead of a Presburger formula.

The satisfiability-checking problem is to check, given A and $\phi \in \mathcal{L}_A$, whether
there exists an infinite execution p of A with $p \models \phi$. From Corollary 2, the
satisfiability-checking problems are decidable for the following LTL formulas:

• $I \wedge \Box\Diamond P$.

• $I \wedge \Diamond P$.

• $I \wedge \Box\Diamond P \wedge \Box\Diamond Q$.

In our previous paper [12], the first two items as above were shown but only for 
timed automata with discrete clocks. In the same paper, the last item as above was 
left open. 

Some work needs to be done in the future in formulating an exact decidable
subset (broader than the subset in Comon and Cortier [7]) of $\mathcal{L}_A$ for
satisfiability-checking. Notice that the entire $\mathcal{L}_A$ is undecidable for
satisfiability-checking/model-checking, even when the next operator is dropped from
the logic. This is because the satisfiability-checking problem for $\Box P$ is undecidable,
when A is a discrete timed automaton, as shown in [12].

A similar decidable subset of LTL formulas $\mathcal{L}_A$ could be formulated for discrete
timed pushdown systems, by combining Theorem 7, the results in [10] and [20].
Another issue is on the complexity analysis of the decision procedures presented in
Theorem 3 and Theorem 7. However, this issue is related to the complexity for the
emptiness problem of NPCMs, which is still unknown, though it is believed that it
can be derived along Gurari and Ibarra [15].